What US Companies Need to Know as EU Adopts Cybersecurity Directive

Not all the news coming out of Europe these days is about Brexit. In fact, the forces of unity and harmonization remain a top priority for European regulators hoping to combat digital security threats and create a safer and more secure environment for the entire online community. To this end, on July 6, 2016, the European Parliament adopted the Network and Information Security (“NIS”) Directive in an effort to enhance cybersecurity and incident reporting at a national level across all of its member states (“NIS Directive”).

This move followed an announcement the day before from the European Commission (the “Commission”) that it had launched a public-private initiative that will steer €1.8 billion of investment into cybersecurity by 2020. According to a recent survey cited by the Commission, 80% or more of European companies were victims of a cybersecurity incident during the last year and the number of such incidents increased globally across all industries by 38% in 2015. The Commission’s Vice President in charge of the Digital Single Market, Andrus Ansip, commented that “without trust and security, there can be no Digital Single Market” and that “Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognize borders.” The NIS Directive is a major step in this direction.

US companies take note! Large multinationals may be subject to the NIS Directive even without a physical presence in the EU as the NIS Directive applies to two types of service providers:

Operators of “essential services,” such as companies involved with energy, transport, banking, financial markets infrastructure, health, water and digital infrastructure; and

Digital service providers (“DSPs”), which at a minimum will likely include online marketplaces, online search engines and cloud computing services.

Although the jurisdictional and application-of-law principles are yet to be worked out, companies that fit the definition of a DSP and that interact with the European market in some meaningful way should expect to fall under the national law of one of the EU member states that has implemented the NIS Directive. Note that micro businesses (fewer than 10 persons / €2 million annual turnover and/or balance sheet total) and small business (fewer than 50 persons / €10 million annual turnover and/or balance sheet total) are generally exempt from the NIS Directive.

For those companies who will need to comply (e.g. Ebay, Google, Amazon, and many others), their compliance responsibilities will be wide-ranging and include, among other things:

Implementation of “appropriate and proportionate technical and organizational measures” to protect networks and information systems;

Ensuring that digital security is adequate to address known risks;

Incident response designed to prevent and minimize the impact of security incidents on affected individuals; and

Notification obligations to relevant national authorities when security incidents occur that have a “substantial impact” on a covered digital service or a “significant impact” on a covered essential service.

Companies subject to the NIS Directive will have some time to prepare for compliance. Since EU member states will have 21 months to implement the NIS Directive into their national laws after it goes into force in August 2016, the European Union’s harmonization of its cybersecurity standards may not be complete until May 2018 or later.